Maintaining encryption key integrity

ABSTRACT

Provided are a method, system, and article of manufacture, wherein a first write only register is maintained in an encryption engine of a cryptographic unit. A second write only register is maintained in a decryption engine of the cryptographic unit. A cryptographic key is written in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit.

BACKGROUND

1. Field

The disclosure relates to a method, system, and article of manufacture for maintaining encryption key integrity.

2. Background

Hardware and software based cryptographic mechanisms may be used for encrypting and decrypting electronic data. Symmetric key cryptography is a cryptographic mechanism in which a sender and a receiver of a message share a single, common cryptographic key that is used to encrypt and decrypt the message, where the message may include a plurality of data records. The single common cryptographic key is referred to as a symmetric cryptographic key. In contrast to symmetric key cryptography, public-key cryptography uses two cryptographic keys—a public key to encrypt messages and a private key to decrypt the messages. Symmetric key cryptography may also be referred to as secret key cryptography and symmetrically encrypted data is data that has been encrypted with a symmetric cryptographic key.

An exemplary cryptographic mechanism is the Advanced Encryption Standard (AES) that can be used to protect electronic data. The AES uses a type of symmetric cryptographic key called a symmetric block cipher that can encrypt and decrypt data. Encryption can convert data to an unintelligible form called encrypted data, and decrypting the encrypted data converts the data back into its original form. Further details of the AES may be found in the publication, “Specification for the Advanced Encryption Standard (AES)”, Federal Information Processing Standards Publication 197, Nov. 26, 2001.

To further address the issues of electronic data storage protection, the “IEEE Std 1619.1” standard provides mechanisms for data protection by specifying encryption with authentication and length-expansion. The IEEE Std 1619.1 standard provides methods suitable for ensuring the privacy and integrity of stored data within applications requiring a high level of assurance. To this end, the IEEE Std 1619.1 standard specifies the AES cipher as used in the Galois/counter mode (GCM) of authentication and encryption of data. Further details of the IEEE Std 1619.1 standard may be found in the publication, “IEEE P1619.1™/D8 Draft Standard Architecture for Encrypted Variable Block Storage Media,” Institute of Electrical and Electronics Engineers, Inc., June 2006. Further details of GCM may be found in the publication, “The Galois/Counter Mode of Operation (GCM)” by David A. McGrew and John Viega, May 31, 2005. A cryptographic module that supports GCM may use the GCM algorithm that uses AES with a key of a predetermined length, and such an algorithm may be referred to as “AES-GCM”. Such exemplary cryptographic mechanisms for electronic data storage protection may be implemented either in hardware or software.

SUMMARY OF THE DESCRIBED EMBODIMENTS

Provided are a method, system, and article of manufacture, wherein a first write only register is maintained in an encryption engine of a cryptographic unit. A second write only register is maintained in a decryption engine of the cryptographic unit. A cryptographic key is written in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit.

In additional embodiments, an error in the cryptographic unit causes different values to be stored in the first write only register of the encryption engine and the second write only register of the decryption engine, in response to writing the cryptographic key.

In yet additional embodiments, an error flag is maintained in the cryptographic unit. A determination is made by microcode included in the cryptographic unit whether the first write only register has a different value than the second write only register. The error flag is set to indicate an error in the cryptographic unit, in response to determining that the first write only register has a different value than the second write only register. The error flag is set to indicate proper functioning of the cryptographic unit, in response to determining that the first write only register does not have a different value than the second write only register.

In still further embodiments, encrypted data is received for decryption at the cryptographic unit. The encrypted data is decrypted in the cryptographic unit by using the cryptographic key written in the second write only register of the decryption engine, in response to determining that the error flag indicates proper functioning of the cryptographic unit.

In certain embodiments, the cryptographic key is written by microcode included in the cryptographic unit and all pointers that point to the cryptographic key in the cryptographic unit are destroyed after writing the cryptographic key.

In additional embodiments, writing the cryptographic key results in a first value being written to the first write only register and a second value being written to the second write only register, wherein the first value and the second value may be the same or different. Data is received for encryption at the cryptographic unit. The received data is encrypted by using the first value written to the first write only register of the encryption engine to generate encrypted data. The encrypted data is decrypted by using the second value written to the second write only register of the decryption engine to generate decrypted data. A determination is made as to whether the decrypted data is the same as the received data. The generated encrypted data is sent for storage, in response to determining that the decrypted data is the same as the received data. An error is generated, in response to determining that the decrypted data is not the same as the received data.

In further embodiments, the cryptographic key is a previously loaded cryptographic key, wherein a new cryptographic key is loaded by overwriting the first and the second write only registers with the new cryptographic key.

Certain embodiments are implemented in a cryptographic unit, comprising memory, an encryption engine coupled to the memory, a decryption engine coupled to the memory, a first write only register included in the encryption engine, a second write only register included in the decryption engine, and a processor coupled to the memory. Certain embodiments are implemented in a storage library, comprising at least one storage drive, and at least one cryptographic unit included in the at least one storage drive, wherein in certain embodiments the storage library is a tape library. Certain additional embodiments are implemented in a storage drive comprising a removable storage medium, and at least one cryptographic unit, coupled to the removable storage, wherein in certain embodiments, the storage drive is a tape drive.

BRIEF DESCRIPTION OF THE DRAWINGS

Referring now to the drawings in which like reference numbers represent corresponding parts throughout:

FIG. 1 illustrates a block diagram of a computing environment in accordance with certain embodiments;

FIG. 2 illustrates a flowchart that shows operations for loading cryptographic keys into read only registers, in accordance with certain embodiments;

FIG. 3 a illustrates a flowchart for encrypting data, in accordance with certain embodiments;

FIG. 3 b illustrates a flowchart for decrypting data, in accordance with certain embodiments;

FIG. 4 illustrates an embodiment of a storage library, in accordance with certain embodiments;

FIG. 5 illustrates an embodiment of components in a storage library, in accordance with certain embodiments;

FIG. 6 illustrates an embodiment of components of a storage drive capable of interfacing with a removable storage media, in accordance with certain embodiments; and

FIG. 7 illustrates the architecture of computing system, wherein in certain embodiments elements of the computing environment of FIG. 1 may be implemented in accordance with the architecture of the computing system.

DETAILED DESCRIPTION

In the following description, reference is made to the accompanying drawings which form a part hereof and which illustrate several embodiments. It is understood that other embodiments may be utilized and structural and operational changes may be made.

Many customers need data encryption to ensure security for data. Certain customers may need an assurance that data would be unreadable should the data ever be lost or stolen. There are several different encryption mechanisms that can be implemented in hardware to generate encrypted data. An important element in determining the integrity of the encrypted data is the handling of the cryptographic key used for generating the encrypted data. If the encryption key is not handled in a secure manner, then in certain situations it may not matter whether the data has been encrypted or not. In addition, a cryptographic key may need to be validated to determine that the cryptographic key is indeed the correct key for encryption or decryption.

Certain embodiments implement a cryptographic unit to provide a secure method for handling the cryptographic key such that the cryptographic key can never leave the cryptographic unit in a clear state. For example, in certain embodiments a cryptographic key is written to a plurality of write only registers by microcode, and after writing a cryptographic key the microcode destroys all storage pointers to the cryptographic key. Multiplexers may protect against any clear keys being read and the cryptographic keys cannot be read via register interfaces or debug ports.

Certain embodiments provide a comparison function that compares two write only registers capable of storing the same cryptographic key, wherein the comparison function can set an error flag to alert the microcode when values stored in the two registers do not match. In certain embodiments, the error flag may also be set to alert the microcode when the cryptographic keys stored in the two write only registers are identical but are of different sizes. For example, if an encryption engine stores a 128-bit cryptographic key and the corresponding decryption engine stores a 256-bit cryptographic key, then the error flag will be set to alert the microcode even if the two cryptographic keys are identical.

In addition, in certain embodiments the cryptographic unit provides mechanisms for validating the cryptographic key before the cryptographic unit starts reading encrypted data records. If the cryptographic unit has the correct cryptographic key, then decryption can proceed. If the cryptographic unit does not have the correct cryptographic key, decryption is stalled until the cryptographic unit receives the correct cryptographic key.

Exemplary Embodiments

FIG. 1 illustrates a block diagram of a computing environment 100 in accordance with certain embodiments. The computing environment 100 includes at least one storage device 102 that may be coupled to a host 104 either directly or over a network such as a storage area network.

The storage device 102 may comprise one or more tape devices, disk drives, or any other suitable storage devices known in the art. The host 104 may comprise any computational device including those presently known in the art, such as a personal computer, a workstation, a mainframe, a midrange computer, a network appliance, a palm top computer, a telephony device, a blade computer, a hand held computer, etc.

The storage device 104 includes at least one cryptographic unit 108, wherein the at least one cryptographic unit 106 may be implemented in application specific integrated circuit (ASIC) and may be referred to as an encryption/decryption unit. In still further embodiments, the cryptographic unit 106 may be implemented in software, hardware, firmware, or any combination thereof, inside or outside of the storage device 102. For example, the cryptographic unit 106 may be implemented in a computational device outside the storage device 102 or may be a stand-alone unit.

The storage device 102 may store symmetrically encrypted data 108 on a storage medium, such as a tape or a disk, in order to provide protection to data. Data received by the storage device 102 may be encrypted by the cryptographic unit 106 and stored in the storage device 102 as symmetrically encrypted data 108. The storage device 102 may use the cryptographic unit 106 to decrypt any encrypted data.

The cryptographic unit 106 may comprise an encryption engine 110 and a decryption engine 112. The encryption engine 110 and the decryption engine 112 may be implemented in hardware, software, firmware or any combination thereof. The encryption engine 110 includes at least one write only register 114 in which a cryptographic key 116 can be written. Similarly, the decryption engine 112 includes at least one write only register 118 in which a cryptographic key 120 can be written. The encryption engine 110 may use the cryptographic key 116 to encrypt data, and the decryption engine 112 may use the cryptographic key 120 to decrypt data that has been encrypted. In certain embodiments, the cryptographic keys 116, 120 are inaccessible for reading from any entity that is external to the cryptographic unit 106. Cryptographic mechanisms, such as AES-GCM or other mechanisms, may be used by the cryptographic unit 106 to encrypt or decrypt data. A new cryptographic key can only be loaded by overwriting the write only registers 114, 118 with the new cryptographic key.

The cryptographic unit 106 may also include microcode 122 that may be used to implement mechanisms for writing cryptographic keys 116, 120 to write only registers 114, 118 and perform other operations. The microcode 122 may include one or more pointers 124 to the cryptographic keys 116, 120, where the pointers 124 are destroyed after writing the cryptographic keys 116, 120.

Additionally, the cryptographic unit includes an error flag 126, where the error flag 126 is an indicator implemented in hardware, software, firmware or any combination thereof. An error in the cryptographic unit 106 may cause different values to be stored in the write only register 114 of the encryption engine 110 and the write only register 118 of the decryption engine 112, even if the microcode 122 has requested that the same cryptographic key be stored in the write only register 114 of the encryption engine 110 and the write only register 118 of the decryption engine 112. The error flag 126 may be set to “1” when different values are stored in the write only register 114 and the write only register 118. The setting of the error flag to “1” may indicate that different cryptographic keys are stored in the encryption engine 110 and the decryption engine 112, wherein cryptographic keys that are identical but are of different key lengths are different cryptographic keys. The error flag 126 may be set to “0” when the same values are stored in the write only register 114 and the write only register 118.

The cryptographic unit also includes one or more multiplexers 128, one or more register interfaces 130 to the write only registers 114, 118 and one or more debug ports 132. The multiplexers 128 may protect against any clear cryptographic keys from being read out of the cryptographic unit 106. The register interfaces 130 and the debug ports 132 cannot be used to read the cryptographic keys 116, 120 that have been stored in the write only registers 114, 118.

Therefore, FIG. 1 illustrates certain embodiments in which a first write only register 114 is maintained in an encryption engine 110 of a cryptographic unit 106 and a second write only register 118 is maintained in a decryption engine 112 of the cryptographic unit 106. A cryptographic key is written in the first write only register 114 and the second write only register 118, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit 106. An error in the cryptographic unit 106 can cause different values to be stored in the first write only register 114 of the encryption engine 110 and the second write only register 118 of the decryption engine 112, in response to writing the cryptographic key.

FIG. 2 illustrates a flowchart that shows operations for loading cryptographic keys into read only registers, in accordance with certain embodiments. The operations illustrated in FIG. 2 may be implemented in the cryptographic unit 106 of the computing environment 100.

Control starts at block 200, and the cryptographic unit 106 receives (at block 202) a cryptographic key 202. The cryptographic key 202 may have been provided by the host 104 or by the storage device 102 or by any other device. The microcode 122 attempts to load (at block 204) the cryptographic key into the write only register 114 of the encryption engine 110 and into the write only register 118 of the decryption engine 112. Thus the microcode 122 attempts to write the same cryptographic key to the write only register 114 of the encryption engine 110 and the write only register 118 of the decryption engine 112. The loaded cryptographic key is shown as cryptographic key 116 in the write only register 114 and as cryptographic key 120 in the write only register 118.

The microcode 122 destroys (at block 206) all pointers 124 to the write only register 114 of the encryption engine 110 and the write only register 118 of the decryption engine 112. The destruction of the pointers 124 provides security to the cryptographic keys 116, 120 by preventing access to the cryptographic keys 116, 120 via the pointers 124.

An error in the cryptographic unit 106 may cause different values to be stored in the write only register 114 of the encryption engine 110 and the write only register 118 of the decryption engine 112, even if the microcode 122 has requested that the same cryptographic key be written to the write only register 114 of the encryption engine 110 and the write only register 118 of the decryption engine 112. The cryptographic unit 106 determines (at block 208) whether the write only register 114 of the encryption engine 110 and the write only register 118 of the decryption engine 112 have the same data (i.e., identical keys of the same length are stored in both engines). If so, then the error flag 126 is set (at block 210) to “0” to indicate proper functioning of the cryptographic unit 106. If not, then the error flag 126 is set (at block 212) to “1” to indicate an error, i.e., an improper functioning of the cryptographic unit 106. From blocks 210 and 212 control proceeds to block 214 where the process stops.

Therefore, FIG. 2 illustrates certain embodiments in which a process writes the same cryptographic key to both an encryption engine 110 and a decryption engine 112 and after writing the cryptographic key verifies that the writing has completed properly. If for any reason the cryptographic keys 116 and 120 are different, then the cryptographic unit 106 indicates an error via the error flag 126.

FIG. 3 a illustrates a flowchart for encrypting data, in accordance with certain embodiments. The operations illustrated in FIG. 3 a may be implemented in the cryptographic unit 106 of the computing environment 100.

Control starts at block 300, where the cryptographic unit 106 receives data for encryption. The cryptographic unit 106 uses the encryption engine 110 to generate (at block 302) encrypted data from the received data via an application of the cryptographic key 116 stored in the write only register 114 of the encryption engine 110. Subsequently, the cryptographic unit 106 decrypts (at block 304) the encrypted data with the cryptographic key 120 in the decryption engine 112.

The cryptographic unit 106 determines (at block 306) whether the decryption of the encrypted data matches the received data. If so, then the cryptographic unit 106 returns (at block 308) the encrypted data. If not, then the cryptographic unit 106 returns (at block 310) an error because the decryption of the encrypted received data should match the received data if the cryptographic unit 106 is functioning properly.

Therefore, FIG. 3 a illustrates certain environments in which a cryptographic unit 106 verifies that an encryption of received data is being performed properly by determining that a decryption of the encrypted received data matches the received data.

FIG. 3 b illustrates a flowchart for decrypting data, in accordance with certain embodiments. The operations illustrated in FIG. 3 b may be implemented in the cryptographic unit 106 of the computing environment 100.

Control starts at block 350, where the cryptographic unit 106 receives encrypted data for decryption. The cryptographic unit 106 determines (at block 352) whether the error flag 126 indicates proper functioning of the cryptographic unit 106. If so, then the cryptographic unit 106 decrypts (at block 354) the encrypted data with the cryptographic key 120 stored in the write only register 118 of the decryption engine 112. If not, then the cryptographic unit 106 returns (at block 356) an error.

Therefore, FIG. 3 b illustrates certain embodiments in which the cryptographic unit 106 decrypts encrypted data when the error flag 126 indicates that the cryptographic unit 106 is functioning properly. In certain embodiments, the cryptographic unit 106 is functioning properly when the same value is stored in the write only register 114 and the write only register 118, i.e., the same cryptographic key that has been used for encryption is used for decryption.

Certain embodiments protect data by safeguarding cryptographic keys 116, 120 in write only registers 114, 118 within a cryptographic unit 106. A verification is performed to ensure that the same cryptographic key that is used for encryption is used for decryption. The cryptographic keys 116, 120 cannot be accessed from entities external to the cryptographic unit 106.
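
The key load of FIG. 2, the encrypt-then-verify path of FIG. 3 a and the flag-gated decrypt of FIG. 3 b can be modelled in software as follows. This C model is an added example, not code from the disclosure: the XOR keystream is a toy stand-in for AES-GCM, destroying the pointers 124 is modelled as zeroizing the staging buffer, and fault_xor, fault_len and scenario() are hypothetical names used to inject the register-write error the text describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY 32  /* room for a 256-bit key */

/* Write only register: the unit exposes no function that returns its contents. */
typedef struct { uint8_t key[MAX_KEY]; size_t len; } wo_reg;

typedef struct {
    wo_reg enc_reg;     /* register 114, encryption engine 110 */
    wo_reg dec_reg;     /* register 118, decryption engine 112 */
    int error_flag;     /* error flag 126: 0 = proper functioning, 1 = error */
    uint8_t fault_xor;  /* hypothetical fault knob: flips bits in byte 0 of the 118 write */
    size_t fault_len;   /* hypothetical fault knob: key length latched by 118 (16 or 32) */
} crypto_unit;

/* Zeroize through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(uint8_t *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

static void reg_write(wo_reg *r, const uint8_t *k, size_t len) {
    memset(r->key, 0, MAX_KEY);
    memcpy(r->key, k, len);
    r->len = len;
}

/* Comparison function (block 208): keys match only if value AND length match. */
static int regs_differ(const wo_reg *a, const wo_reg *b) {
    uint8_t diff = (uint8_t)(a->len != b->len);
    for (size_t i = 0; i < MAX_KEY; i++) diff |= (uint8_t)(a->key[i] ^ b->key[i]);
    return diff != 0;
}

/* FIG. 2: load the key into both registers, drop the clear copy, set the flag. */
int cu_load_key(crypto_unit *cu, uint8_t *staging, size_t len) {
    if (len != 16 && len != 32) return -1;
    uint8_t seen_by_dec[MAX_KEY] = {0};
    memcpy(seen_by_dec, staging, len);
    seen_by_dec[0] ^= cu->fault_xor;                 /* injected write error, if any */
    size_t dlen = (cu->fault_len == 16 || cu->fault_len == 32) ? cu->fault_len : len;
    reg_write(&cu->enc_reg, staging, len);           /* block 204 */
    reg_write(&cu->dec_reg, seen_by_dec, dlen);
    wipe(staging, len);                              /* block 206, modelled as zeroization */
    wipe(seen_by_dec, sizeof seen_by_dec);
    cu->error_flag = regs_differ(&cu->enc_reg, &cu->dec_reg);  /* blocks 208-212 */
    return cu->error_flag;
}

/* Toy keystream byte, a stand-in for AES-GCM; NOT a real cipher. */
static uint8_t ks(const wo_reg *r, size_t i) {
    return (uint8_t)(r->key[i % r->len] ^ (uint8_t)r->len);
}

/* FIG. 3a: encrypt with 114, decrypt with 118, release ciphertext only on a match. */
int cu_encrypt(const crypto_unit *cu, const uint8_t *in, uint8_t *out, size_t n) {
    if (cu->enc_reg.len == 0 || cu->dec_reg.len == 0) return -1;  /* no key loaded */
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = (uint8_t)(in[i] ^ ks(&cu->enc_reg, i));            /* block 302 */
        uint8_t back = (uint8_t)(out[i] ^ ks(&cu->dec_reg, i));     /* block 304 */
        diff |= (uint8_t)(back ^ in[i]);                            /* block 306 */
    }
    if (diff) { wipe(out, n); return -1; }                          /* block 310 */
    return 0;                                                       /* block 308 */
}

/* FIG. 3b: decrypt only while the error flag reports proper functioning. */
int cu_decrypt(const crypto_unit *cu, const uint8_t *in, uint8_t *out, size_t n) {
    if (cu->error_flag || cu->dec_reg.len == 0) return -1;          /* block 356 */
    for (size_t i = 0; i < n; i++) out[i] = (uint8_t)(in[i] ^ ks(&cu->dec_reg, i));
    return 0;                                                       /* block 354 */
}

/* Bit flags: 1 error flag set, 2 encrypt refused, 4 decrypt refused,
   8 clear key left in staging buffer, 16 round trip did not match. */
int scenario(uint8_t fault_xor, size_t fault_len) {
    crypto_unit cu;
    memset(&cu, 0, sizeof cu);
    cu.fault_xor = fault_xor;
    cu.fault_len = fault_len;
    uint8_t key[16], zero[16] = {0};
    for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)(0xA0 + i);  /* constructed key */
    const uint8_t record[] = "constructed tape record";
    uint8_t ct[sizeof record] = {0}, pt[sizeof record] = {0};
    int r = cu_load_key(&cu, key, sizeof key) ? 1 : 0;
    if (cu_encrypt(&cu, record, ct, sizeof record) != 0) r |= 2;
    if (cu_decrypt(&cu, ct, pt, sizeof record) != 0) r |= 4;
    else if (memcmp(pt, record, sizeof record) != 0) r |= 16;
    if (memcmp(key, zero, sizeof key) != 0) r |= 8;
    return r;
}

int main(void) {
    printf("clean=%d bitflip=%d length=%d\n", scenario(0, 0), scenario(0x01, 0), scenario(0, 32));
    return 0;
}
```

A clean load yields 0; a corrupted value or a mismatched key length in register 118 sets the error flag and causes both the encrypt and decrypt paths to return an error.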

Storage Library and Storage Device Related Embodiments

FIGS. 1, 2, 3 a, 3 b have described certain embodiments which illustrate certain interactions of an encryption/decryption unit 106 with other elements included in the storage device 102 and the host 104. FIGS. 4-6 illustrate certain additional embodiments in which the encryption/decryption unit, i.e., the cryptographic unit, 106 is included in a storage drive, such as a tape drive, wherein in certain embodiments one or more storage drives may be implemented in a storage library.

FIG. 4 illustrates a storage library, such as an automated tape library 402, known in the prior art. The tape library 402 includes a library controller, an input/output station, a picker assembly 404, a carriage assembly 406, storage cells 408 a, 408 b, and optical disk drives (not shown). The term “library element” as used herein refers to any slot in the automated tape library 402 in which storage cartridges may be disposed, e.g., the input/output stations, the storage cells 408 a, 408 b, etc. The library controller includes a processor, RAM, and other controls and interfaces to direct the actions of the library components. The library controller further interacts with a host processor to respond to library commands transmitted from the host processor. The input/output station is the opening through which the user may insert or remove a cartridge. An operator panel on the outside of the box housing the tape library 402 allows the user to communicate with the library controller. When adding a cartridge through the input/output slot, the user may indicate the addition of a cartridge using the operator panel. The tape library 402 also includes an access door 412 through which the user may add or remove cartridges maintained in the storage cells 408 a, 408 b.

The tape library 402 has two columns of storage cells 408 a, 408 b and storage drives 410 a, 410 b that perform read and write operations with respect to the storage media cartridges. A picker assembly 404 is capable of manipulating the storage media cartridges in the library elements. A carriage assembly 406 moves the picker assembly 404, and any media storage cartridge held by the picker assembly 404, among the library elements. The carriage assembly 406 transports the picker assembly 404 to a destination library element. The picker assembly 404 can rotate to turn the storage media cartridge over. The picker assembly 404 has a finger mechanism to remove or insert a storage media cartridge to a library element. Once inserted in the storage drive 410 a, 410 b, data can be read from the storage media cartridge and sent to a host processor. Data transmitted from the host processor can be written to the storage media cartridge inserted in a storage drive 410 a, 410 b. One or more of the storage cells 408 a, 408 b in each column may comprise an Input/Output slot through which a user may remove a storage media cartridge from the tape library 402 or can insert a storage media cartridge into the tape library 402.

In further embodiments, the tape library 402 may include distributed computing components, such as distributed controller, distributed storage cells and distributed picker assemblies. Yet further, the tape library 402 may be partitioned into one or more logical libraries having multiple storage drives. Each storage drive may be configured independently of any other drive. In addition, groups of storage drives may be configured at the same time or with the same settings. This may include all storage drives in a frame, all storage drives in a logical library, all storage drives in a physical library, or all storage drives selected from a list.

FIG. 5 illustrates an embodiment of an automated storage library 500 including a storage array 502, such as the storage cells 408 a, 408 b (FIG. 4), including removable storage media 504 a, 504 b, . . . 504 n; storage drives 506 a, 506 b, . . . , 506 k, such as a tape drive, optical disk drive or other interface to which a removable storage media is coupled for access; an autochanger mechanism 508 to transfer removable storage media 504 a . . . 504 n between the storage array 502 and storage drive 506 a . . . 506 k, such as the picker assembly 404 (FIG. 4); and a library controller 510.

The removable storage media 504 a . . . 504 n may comprise any type of media on which data may be stored and which may serve as removable media, including but not limited to magnetic media (such as magnetic tape or disks), optical media (such as optical tape or disks), electronic media (such as PROM, EEPROM, flash PROM, MRAM, etc.), or other suitable media. In certain embodiments, the removable storage media has a cartridge housing, such as the case with a magnetic tape cartridge or a removable disk drive.

In certain embodiments, the library controller 510 is comprised of a microprocessor and various controls and interfaces to control the operation of the components in the automated library 500, including the autochanger mechanism 508 and storage drives 506 a . . . 506 k. The library controller 510 utilizes a memory 512 to store various information, such as a storage media map maintaining information on the location of removable storage media 504 a . . . 504 n in the library 500, including the content of the library elements in the storage array 502. The library controller 510 may comprise a single processing unit or distributed processing units.

The library controller 510 may further manage read/write operations with respect to removable storage media 504 a . . . 504 n in the storage library 500. A library operator may directly control operations and the management of removable storage media 504 a . . . 504 n through an operator terminal 514 coupled to the library 500, comprising a display device and keyboard, to interface with the library controller 510. Additionally, a host system (not shown) may send commands to the library controller 510 to control operations within the automated library 500 or perform read or write operations on volumes within removable storage media 504 a . . . 504 n managed by the library 500, where the host system may communicate with the library 500 over a network or through a direct cable connection.

FIG. 6 illustrates an embodiment of a storage drive 600 that is capable of performing I/O operations with respect to a coupled exemplary removable storage media 504 a, 504 b, or 504 n that are capable of being inserted into the storage drive 600. The storage drive 600 includes I/O manager code 602 to perform read/write operations with respect to a coupled removable storage media 504 a, 504 b, or 504 n. The storage drive 600 includes a user interface 604 comprising user controls on the storage drive 600 housing to configure and control the storage drive 600. Further, in certain embodiments, an external user interface 606 may optionally be coupled to the storage drive 600 providing additional user controls used to configure and control the storage drive 600. The storage drive 600 may correspond to the storage device 102 (shown in FIG. 1) and may include one or more communication interfaces 608, the encryption/decryption unit 106 (shown in FIG. 1), and other elements shown in the storage device 102 of FIG. 1. In certain embodiments the symmetrically encrypted data 108 (shown in FIG. 1) may be included in the storage drive 600 and correspond to one of the removable storage media 504 a, 504 b or 504 n.

The user interface 604 and optional external user interface 606 may include user interface elements for interacting with the storage drives 506 a . . . 506 k, such as an eject button for manually unloading removable storage media 504 a, 504 b or 504 n, up/down buttons for navigating a list of items, enter/exit buttons for selecting items or exiting from a menu or list, and one or more status displays (e.g., a light or LED (Light Emitting Diode), a numeric display, an alphanumeric display, etc.). The external user interface 606 may comprise a computer, workstation, personal computer, palm computer, web user interface, proprietary user interface, or any other device capable of providing a user interface for the storage drives 506 a . . . 506 k.

The encryption/decryption unit 106 and I/O manager code 602 may be implemented as hardware logic in the storage drive 600 or in computer executable instructions that are accessed and executed by a processor (not shown) in the storage drive 600. In certain embodiments the storage drive 600 is a tape drive.

Additional Embodiment Details

The described techniques may be implemented as a method, apparatus or article of manufacture involving software, firmware, micro-code, hardware and/or any combination thereof. The term “article of manufacture” as used herein refers to code or logic implemented in a medium, where such medium may comprise hardware logic [e.g., an integrated circuit chip, Programmable Gate Array (PGA), Application Specific Integrated Circuit (ASIC), etc.] or a computer readable medium, such as magnetic storage medium (e.g., hard disk drive, floppy disk, tape, etc.), optical storage (CD-ROM, optical disk, etc.), volatile and non-volatile memory devices [e.g., Electrically Erasable Programmable Read Only Memory (EEPROM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), flash, firmware, programmable logic, etc.]. Code in the computer readable medium is accessed and executed by a processor. The medium in which the code or logic is encoded may also comprise transmission signals propagating through space or a transmission media, such as an optical fiber, copper wire, etc. The transmission signal in which the code or logic is encoded may further comprise a wireless signal, satellite transmission, radio waves, infrared signals, etc. The transmission signal in which the code or logic is encoded is capable of being transmitted by a transmitting station and received by a receiving station, where the code or logic encoded in the transmission signal may be decoded and stored in hardware or a computer readable medium at the receiving and transmitting stations or devices. Additionally, the “article of manufacture” may comprise a combination of hardware and software components in which the code is embodied, processed, and executed. Of course, those skilled in the art will recognize that many modifications may be made without departing from the scope of embodiments, and that the article of manufacture may comprise any information bearing medium. For example, the article of manufacture comprises a storage medium having stored therein instructions that when executed by a machine results in certain operations being performed.

Certain embodiments can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.

Furthermore, certain embodiments can take the form of a computer program product accessible from a computer usable or computer readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer usable or computer readable medium can be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and digital video disk (DVD).

The terms “certain embodiments”, “an embodiment”, “embodiment”, “embodiments”, “the embodiment”, “the embodiments”, “one or more embodiments”, “some embodiments”, and “one embodiment” mean one or more (but not all) embodiments unless expressly specified otherwise. The terms “including”, “comprising”, “having” and variations thereof mean “including but not limited to”, unless expressly specified otherwise. The enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise. The terms “a”, “an” and “the” mean “one or more”, unless expressly specified otherwise.

Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries. Additionally, a description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary, a variety of optional components are described to illustrate the wide variety of possible embodiments.

Further, although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously, in parallel, or concurrently.

When a single device or article is described herein, it will be apparent that more than one device/article (whether or not they cooperate) may be used in place of a single device/article. Similarly, where more than one device or article is described herein (whether or not they cooperate), it will be apparent that a single device/article may be used in place of the more than one device or article. The functionality and/or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality/features. Thus, other embodiments need not include the device itself.

FIG. 7 illustrates an exemplary computer system 700, wherein in certain embodiments the cryptographic unit 106 of the computing environment 100 of FIG. 1 may be implemented in accordance with the computer architecture of the computer system 700. The computer system 700 may also be referred to as a system or a machine and may include a circuitry 702 that may in certain embodiments include a processor 704. The system 700 may also include a memory 706 (e.g., a volatile memory device), and storage 708. Certain elements of the system 700 may or may not be found in the cryptographic unit 106 of FIG. 1. The storage 708 may include a non-volatile memory device (e.g., EEPROM, ROM, PROM, RAM, DRAM, SRAM, flash, firmware, programmable logic, etc.), magnetic disk drive, optical disk drive, tape drive, etc. The storage 708 may comprise an internal storage device, an attached storage device and/or a network accessible storage device. The system 700 may include a program logic 710 including code 712 that may be loaded into the memory 706 and executed by the processor 704 or circuitry 702. In certain embodiments, the program logic 710 including code 712 may be stored in the storage 708. In certain other embodiments, the program logic 710 may be implemented in the circuitry 702. Therefore, while FIG. 7 shows the program logic 710 separately from the other elements, the program logic 710 may be implemented in the memory 706 and/or the circuitry 702.

Certain embodiments may be directed towards a method for deploying computing infrastructure by a person or via automated processing. Certain other embodiments may be directed towards integrating computer-readable code into a computing system, wherein the code in combination with the computing system is enabled to perform the operations described earlier.

At least certain of the operations illustrated in FIGS. 2, 3a, and 3b may be performed in parallel as well as sequentially. In alternative embodiments, certain of the operations may be performed in a different order, modified or removed.

Furthermore, many of the software and hardware components have been described in separate modules for purposes of illustration. Such components may be integrated into a fewer number of components or divided into a larger number of components. Additionally, certain operations described as performed by a specific component may be performed by other components.

The data structures and components shown or referred to in FIGS. 1-7 are described as having specific types of information. In alternative embodiments, the data structures and components may be structured differently and have fewer, more or different fields or different functions than those shown or referred to in the figures. Therefore, the foregoing description of the embodiments has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the embodiments to the precise form disclosed. Many modifications and variations are possible in light of the above teaching.

*IEEE P1619.1 is a trademark or registered trademark of Institute of Electrical and Electronics Engineers, Inc.

1. A method, comprising: maintaining a first write only register in an encryption engine of a cryptographic unit; maintaining a second write only register in a decryption engine of the cryptographic unit; and writing a cryptographic key in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit.
2. The method of claim 1, wherein an error in the cryptographic unit causes different values to be stored in the first write only register of the encryption engine and the second write only register of the decryption engine, in response to writing the cryptographic key.
3. The method of claim 1, the method further comprising: maintaining an error flag in the cryptographic unit; determining, by microcode included in the cryptographic unit, whether the first write only register has a different value than the second write only register; setting the error flag to indicate an error in the cryptographic unit, in response to determining that the first write only register has a different value than the second write only register; and setting the error flag to indicate proper functioning of the cryptographic unit, in response to determining that the first write only register does not have a different value than the second write only register.
4. The method of claim 3, the method further comprising: receiving encrypted data for decryption at the cryptographic unit; and decrypting the encrypted data in the cryptographic unit by using the cryptographic key written in the second write only register of the decryption engine, in response to determining that the error flag indicates proper functioning of the cryptographic unit.
5. The method of claim 1, wherein the cryptographic key is written by microcode included in the cryptographic unit, the method further comprising: destroying all pointers that point to the cryptographic key in the cryptographic unit after writing the cryptographic key.
6. The method of claim 1, wherein writing the cryptographic key results in a first value being written to the first write only register and a second value being written to the second write only register, wherein the first value and the second value may be same or different, the method further comprising: receiving data for encryption at the cryptographic unit; encrypting the received data by using the first value written to the first write only register of the encryption engine to generate encrypted data; decrypting the encrypted data by using the second value written to the second write only register of the decryption engine to generate decrypted data; determining whether the decrypted data is the same as the received data; sending the generated encrypted data for storage, in response to determining that the decrypted data is the same as the received data; and generating an error, in response to determining that the decrypted data is not the same as the received data.
7. The method of claim 1, wherein the cryptographic key is a previously loaded cryptographic key, wherein a new cryptographic key is loaded by overwriting the first and the second write only registers with the new cryptographic key.
8. A cryptographic unit, comprising: memory; an encryption engine coupled to the memory; a decryption engine coupled to the memory; a first write only register included in the encryption engine; a second write only register included in the decryption engine; and a processor coupled to the memory, wherein the processor performs operations, and wherein the operations comprise writing a cryptographic key in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit.
9. The cryptographic unit of claim 8, wherein an error in the cryptographic unit causes different values to be stored in the first write only register of the encryption engine and the second write only register of the decryption engine, in response to writing the cryptographic key.
10. The cryptographic unit of claim 8, the operations performed by the processor further comprising: maintaining an error flag in the cryptographic unit; determining, by microcode included in the cryptographic unit, whether the first write only register has a different value than the second write only register; setting the error flag to indicate an error in the cryptographic unit, in response to determining that the first write only register has a different value than the second write only register; and setting the error flag to indicate proper functioning of the cryptographic unit, in response to determining that the first write only register does not have a different value than the second write only register.
11. The cryptographic unit of claim 10, the operations performed by the processor further comprising: receiving encrypted data for decryption at the cryptographic unit; and decrypting the encrypted data in the cryptographic unit by using the cryptographic key written in the second write only register of the decryption engine, in response to determining that the error flag indicates proper functioning of the cryptographic unit.
12. The cryptographic unit of claim 8, wherein the cryptographic key is written by microcode included in the cryptographic unit, the operations performed by the processor further comprising: destroying all pointers that point to the cryptographic key in the cryptographic unit after writing the cryptographic key.
13. The cryptographic unit of claim 8, wherein writing the cryptographic key results in a first value being written to the first write only register and a second value being written to the second write only register, wherein the first value and the second value may be same or different, the operations performed by the processor further comprising: receiving data for encryption at the cryptographic unit; encrypting the received data by using the first value written to the first write only register of the encryption engine to generate encrypted data; decrypting the encrypted data by using the second value written to the second write only register of the decryption engine to generate decrypted data; determining whether the decrypted data is the same as the received data; sending the generated encrypted data for storage, in response to determining that the decrypted data is the same as the received data; and generating an error, in response to determining that the decrypted data is not the same as the received data.
14. The cryptographic unit of claim 8, wherein the cryptographic key is a previously loaded cryptographic key, wherein a new cryptographic key is loaded by overwriting the first and the second write only registers with the new cryptographic key.
15. An article of manufacture, wherein the article of manufacture includes machine readable instructions, wherein the machine readable instructions cause operations on a machine comprising a cryptographic unit, the operations comprising: maintaining a first write only register in an encryption engine of the cryptographic unit; maintaining a second write only register in a decryption engine of the cryptographic unit; and writing a cryptographic key in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the cryptographic unit.
16. The article of manufacture of claim 15, wherein an error in the cryptographic unit causes different values to be stored in the first write only register of the encryption engine and the second write only register of the decryption engine, in response to writing the cryptographic key.
17. The article of manufacture of claim 15, the operations further comprising: maintaining an error flag in the cryptographic unit; determining, by microcode included in the cryptographic unit, whether the first write only register has a different value than the second write only register; setting the error flag to indicate an error in the cryptographic unit, in response to determining that the first write only register has a different value than the second write only register; and setting the error flag to indicate proper functioning of the cryptographic unit, in response to determining that the first write only register does not have a different value than the second write only register.
18. The article of manufacture of claim 17, the operations further comprising: receiving encrypted data for decryption at the cryptographic unit; and decrypting the encrypted data in the cryptographic unit by using the cryptographic key written in the second write only register of the decryption engine, in response to determining that the error flag indicates proper functioning of the cryptographic unit.
19. The article of manufacture of claim 15, wherein the cryptographic key is written by microcode included in the cryptographic unit, the operations further comprising: destroying all pointers that point to the cryptographic key in the cryptographic unit after writing the cryptographic key.
20. The article of manufacture of claim 15, wherein writing the cryptographic key results in a first value being written to the first write only register and a second value being written to the second write only register, wherein the first value and the second value may be same or different, the operations further comprising: receiving data for encryption at the cryptographic unit; encrypting the received data by using the first value written to the first write only register of the encryption engine to generate encrypted data; decrypting the encrypted data by using the second value written to the second write only register of the decryption engine to generate decrypted data; determining whether the decrypted data is the same as the received data; sending the generated encrypted data for storage, in response to determining that the decrypted data is the same as the received data; and generating an error, in response to determining that the decrypted data is not the same as the received data.
21. The article of manufacture of claim 15, wherein the cryptographic key is a previously loaded cryptographic key, wherein a new cryptographic key is loaded by overwriting the first and the second write only registers with the new cryptographic key.
22. A storage library, comprising: at least one storage drive; and at least one cryptographic unit included in the at least one storage drive, wherein the at least one cryptographic unit performs: maintaining a first write only register in an encryption engine of the at least one cryptographic unit; maintaining a second write only register in a decryption engine of the at least one cryptographic unit; and writing a cryptographic key in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the at least one cryptographic unit.
23. The storage library of claim 22, wherein an error in the at least one cryptographic unit causes different values to be stored in the first write only register of the encryption engine and the second write only register of the decryption engine, in response to writing the cryptographic key.
24. The storage library of claim 22, wherein the at least one cryptographic unit further performs: maintaining an error flag in the at least one cryptographic unit; determining, by microcode included in the at least one cryptographic unit, whether the first write only register has a different value than the second write only register; setting the error flag to indicate an error in the at least one cryptographic unit, in response to determining that the first write only register has a different value than the second write only register; and setting the error flag to indicate proper functioning of the at least one cryptographic unit, in response to determining that the first write only register does not have a different value than the second write only register.
25. The storage library of claim 24, wherein the at least one cryptographic unit further performs: receiving encrypted data for decryption at the at least one cryptographic unit; and decrypting the encrypted data in the at least one cryptographic unit by using the cryptographic key written in the second write only register of the decryption engine, in response to determining that the error flag indicates proper functioning of the at least one cryptographic unit.
26. The storage library of claim 22, wherein the cryptographic key is written by microcode included in the at least one cryptographic unit, wherein the at least one cryptographic unit further performs: destroying all pointers that point to the cryptographic key in the at least one cryptographic unit, after writing the cryptographic key.
27. The storage library of claim 22, wherein writing the cryptographic key results in a first value being written to the first write only register and a second value being written to the second write only register, wherein the first value and the second value may be same or different, wherein the at least one cryptographic unit further performs: receiving data for encryption at the at least one cryptographic unit; encrypting the received data by using the first value written to the first write only register of the encryption engine to generate encrypted data; decrypting the encrypted data by using the second value written to the second write only register of the decryption engine to generate decrypted data; determining whether the decrypted data is the same as the received data; sending the generated encrypted data for storage, in response to determining that the decrypted data is the same as the received data; and generating an error, in response to determining that the decrypted data is not the same as the received data.
28. The storage library of claim 22, wherein the storage library is a tape library, wherein the cryptographic key is a previously loaded cryptographic key, wherein a new cryptographic key is loaded by overwriting the first and the second write only registers with the new cryptographic key.
29. A storage drive, comprising: removable storage medium; and at least one cryptographic unit coupled to the removable storage medium, wherein the at least one cryptographic unit performs: maintaining a first write only register in an encryption engine of the at least one cryptographic unit; maintaining a second write only register in a decryption engine of the at least one cryptographic unit; and writing a cryptographic key in the first write only register and the second write only register, wherein the cryptographic key is inaccessible for reading from any entity that is external to the at least one cryptographic unit.
30. The storage drive of claim 29, wherein an error in the at least one cryptographic unit causes different values to be stored in the first write only register of the encryption engine and the second write only register of the decryption engine, in response to writing the cryptographic key.
31. The storage drive of claim 29, wherein the at least one cryptographic unit further performs: maintaining an error flag in the at least one cryptographic unit; determining, by microcode included in the at least one cryptographic unit, whether the first write only register has a different value than the second write only register; setting the error flag to indicate an error in the at least one cryptographic unit, in response to determining that the first write only register has a different value than the second write only register; and setting the error flag to indicate proper functioning of the at least one cryptographic unit, in response to determining that the first write only register does not have a different value than the second write only register.
32. The storage drive of claim 31, wherein the at least one cryptographic unit further performs: receiving encrypted data for decryption at the at least one cryptographic unit; and decrypting the encrypted data in the at least one cryptographic unit by using the cryptographic key written in the second write only register of the decryption engine, in response to determining that the error flag indicates proper functioning of the at least one cryptographic unit.
33. The storage drive of claim 29, wherein the cryptographic key is written by microcode included in the at least one cryptographic unit, wherein the at least one cryptographic unit further performs: destroying all pointers that point to the cryptographic key in the at least one cryptographic unit after writing the cryptographic key.
34. The storage drive of claim 29, wherein writing the cryptographic key results in a first value being written to the first write only register and a second value being written to the second write only register, wherein the first value and the second value may be same or different, wherein the at least one cryptographic unit further performs: receiving data for encryption at the at least one cryptographic unit; encrypting the received data by using the first value written to the first write only register of the encryption engine to generate encrypted data; decrypting the encrypted data by using the second value written to the second write only register of the decryption engine to generate decrypted data; determining whether the decrypted data is the same as the received data; sending the generated encrypted data for storage, in response to determining that the decrypted data is the same as the received data; and generating an error, in response to determining that the decrypted data is not the same as the received data.
35. The storage drive of claim 29, wherein the storage drive is a tape drive, wherein the cryptographic key is a previously loaded cryptographic key, wherein a new cryptographic key is loaded by overwriting the first and the second write only registers with the new cryptographic key.
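
The key load, register comparison and verify-before-store steps of claims 1 to 4, 6 and 7, modelled in software as an added example that is not part of the patent text. XTEA stands in for the cipher engines, and `crypto_unit`, the `cu_*` functions and the `fault_mask` test hook are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the claimed unit. XTEA is a stand-in cipher chosen
 * for brevity (an assumption of this example, not the patent's engine). */
typedef struct {
    uint32_t enc_key[4]; /* first write only register (encryption engine) */
    uint32_t dec_key[4]; /* second write only register (decryption engine) */
    bool error_flag;     /* true: the two registers hold different values */
} crypto_unit;

#define XTEA_DELTA 0x9E3779B9u
static void xtea_encrypt(const uint32_t k[4], uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

static void xtea_decrypt(const uint32_t k[4], uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * 32u;
    for (int i = 0; i < 32; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Claims 1, 3, 7: write (or overwrite) the key in both registers, then compare
 * them inside the unit. fault_mask is a constructed hook modelling the claim 2
 * hardware error; pass 0 for a clean load. No function here returns a key. */
bool cu_load_key(crypto_unit *cu, const uint32_t key[4], uint32_t fault_mask) {
    for (int i = 0; i < 4; i++) cu->enc_key[i] = cu->dec_key[i] = key[i];
    cu->dec_key[0] ^= fault_mask;
    uint32_t diff = 0;
    for (int i = 0; i < 4; i++) diff |= cu->enc_key[i] ^ cu->dec_key[i];
    cu->error_flag = (diff != 0);
    return !cu->error_flag;
}

/* Claim 6: encrypt with the first register, decrypt with the second, and
 * release ciphertext for storage only if the round trip matches the input. */
int cu_encrypt_verified(const crypto_unit *cu, const uint32_t in[2], uint32_t out[2]) {
    uint32_t ct[2] = { in[0], in[1] };
    xtea_encrypt(cu->enc_key, ct);
    uint32_t check[2] = { ct[0], ct[1] };
    xtea_decrypt(cu->dec_key, check);
    if (check[0] != in[0] || check[1] != in[1]) {
        out[0] = out[1] = 0; /* withhold ciphertext that could not be read back */
        return -1;
    }
    out[0] = ct[0]; out[1] = ct[1];
    return 0;
}

/* Claim 4: decrypt only while the error flag reports proper functioning. */
int cu_decrypt(const crypto_unit *cu, const uint32_t in[2], uint32_t out[2]) {
    if (cu->error_flag) return -1;
    out[0] = in[0]; out[1] = in[1];
    xtea_decrypt(cu->dec_key, out);
    return 0;
}

int main(void) { /* constructed key and data block */
    const uint32_t key[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
    const uint32_t pt[2] = {0xdeadbeefu, 0x0badf00du};
    uint32_t ct[2];
    crypto_unit cu;
    for (uint32_t fault = 0; fault <= 1; fault++) {
        bool ok = cu_load_key(&cu, key, fault);
        printf("fault=%u match=%d write_rc=%d\n", (unsigned)fault, ok, cu_encrypt_verified(&cu, pt, ct));
    }
    return 0;
}
```

Because the registers cannot be read back from outside, the round-trip check is the only externally observable evidence that data written under a corrupted key would be unrecoverable later.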